GDPR is coming – is your Salesforce data ready?

by Jack Bailey-Grundy - February 22, 2018

Last week’s 3rd London’s Calling event brought together 40 speakers across 6 streams to give the lowdown on the latest and greatest tools, techniques and trends for Salesforce trailblazers. One of the hottest topics was, of course, GDPR.

For me it feels like GDPR preparations have been very focused on the client acquisition and marketing preference side, and only now – at a pretty late stage – are people starting to think about what it means for data held inside Salesforce.

Most people are familiar with the key ‘rights’ of GDPR – but what do they mean for Salesforce customers? In fact, the Rights to Access, Rectification and Erasure have far-reaching implications. Can you be sure that you can easily find every piece of information about a client within a month of request? And what about your ex-employees? And if you’ve been holding data for a long time – is it still relevant, and do you still have a legal basis to hold it?

This gets even more complicated if you export customer data, or email non-anonymised reports around team members. And that’s before you even consider Analytics tools, AI, recorded voicemails and legacy systems…

There seem to be two key aspects to managing GDPR requirements with Salesforce and data in general. Firstly, planning – working out how to find all these areas of information quickly, strategically and comprehensively. Build reports that cover your bases, draw up checklists to make sure everything is covered, and have request emails ready to be sent. Secondly, training. Data protection needs to be by design, and not just bolted on. It’s no good just being able to talk the talk – you and your team need to be able to demonstrate what you are doing to ensure compliance. Make sure your users aren’t exporting personal data onto local desktops or emailing reports around the business. Make sure they understand the processes and are following them.

Fortunately, Salesforce, as a customer-centric platform, can help – the basic custom objects will already hold a lot of personal data and are related to each other, so they can easily be searched. Data can easily be anonymised or pseudonymised (although this will not make you fully GDPR compliant), and its structure lends itself to a logical and thorough approach to identifying relevant information. Furthermore, Salesforce is committed to growing and supporting this area, so whilst its systems may not be fully fledged in this regard, more tools will become available.

Crucially, start auditing your systems – identify the pain points now and work out a plan around them. Do you use social sign-on? Do you use Einstein? If you use Community Cloud, how will you anonymise users so you can keep any posts or inputs that they have entered and you don’t want to lose? Do you need all the information in all the fields? Can your legacy systems do the same thing, or is now the time to consolidate platforms?

And don’t forget to work out a way to verify the request, and to check whether you’ve got a legal basis for holding the information; you don’t need to comply with every request.

Ultimately, as we’ve been saying for a while, GDPR doesn’t have to be a scare tactic – it can be a great opportunity to review and refresh your data and embed some best practices into your organisation.